def test_misp_all_urls():
    """MISP.all_urls() must hand every http_ex/https_ex entry to add_url() as one URL.

    The MISP client object is replaced with a MagicMock so the test never
    talks to a real MISP instance; the assertion pins the exact list of
    URLs reconstructed from protocol/host/uri.
    """
    reporter = MISP()
    reporter.misp = mock.MagicMock()
    reporter.misp.add_url.return_value = None

    http_entry = {
        "protocol": "http",
        "host": "hello",
        "uri": "/bar",
    }
    https_entry = {
        "protocol": "https",
        "host": "hello",
        "uri": "/foobar",
    }
    report = {
        "network": {
            "http_ex": [http_entry],
            "https_ex": [https_entry],
        },
    }

    reporter.all_urls(report, "event")

    expected_urls = ["http://hello/bar", "https://hello/foobar"]
    reporter.misp.add_url.assert_called_once_with("event", expected_urls)
def test_misp_domain_ipaddr():
    """MISP.domain_ipaddr() splits resolved domains and contacted hosts.

    Domains go to add_domains_ips() as a {domain: ip} mapping, plain hosts
    go to add_ipdst() as a list. The "time.windows.com" entry is expected
    to be dropped from the mapping (see the TODO below).

    NOTE(review): a second function with this exact name appears later in
    this module; Python keeps only the last binding, so this version would
    be shadowed — confirm which one is meant to be collected.
    """
    reporter = MISP()
    reporter.misp = mock.MagicMock()
    reporter.misp.add_domains_ips.return_value = None
    reporter.misp.add_ipdst.return_value = None

    resolved_domains = [
        {
            "domain": "foobar",
            "ip": "1.2.3.4",
        },
        {
            # TODO Now that we have global whitelisting, this
            # custom-made support for the MISP reporting module should
            # probably be removed.
            "domain": "time.windows.com",
            "ip": "1.2.3.4",
        },
    ]
    contacted_hosts = [
        "2.3.4.5",
        "3.4.5.6",
    ]
    report = {
        "network": {
            "domains": resolved_domains,
            "hosts": contacted_hosts,
        },
    }

    reporter.domain_ipaddr(report, "event")

    expected_mapping = {
        "foobar": "1.2.3.4",
    }
    reporter.misp.add_domains_ips.assert_called_once_with(
        "event", expected_mapping,
    )
    reporter.misp.add_ipdst.assert_called_once_with(
        "event", ["2.3.4.5", "3.4.5.6"],
    )
def test_misp_maldoc():
    """MISP.maldoc_network() reports only "url" marks of malicious_document_urls.

    Unrelated signatures and non-url marks (here a "file" category mark)
    must not reach add_url(); the single expected call carries the url ioc.
    """
    reporter = MISP()
    reporter.misp = mock.MagicMock()
    reporter.misp.add_url.return_value = None

    unrelated_signature = {
        "name": "foobar",
    }
    maldoc_signature = {
        "name": "malicious_document_urls",
        "marks": [
            {
                "category": "file",
            },
            {
                "category": "url",
                "ioc": "url_ioc",
            },
        ],
    }
    report = {
        "signatures": [unrelated_signature, maldoc_signature],
    }

    reporter.maldoc_network(report, "event")

    reporter.misp.add_url.assert_called_once_with("event", ["url_ioc"])
def test_misp_family():
    """MISP.family() pushes extracted-config IOCs to the matching MISP calls.

    Each cfgextr entry yields one add_detection_name() call with its family
    name under "External analysis"; cnc and url entries become add_url()
    calls, and mutex / user_agent entries become add_mutex() and
    add_useragent() calls respectively.
    """
    reporter = MISP()
    reporter.misp = mock.MagicMock()
    for stubbed in ("add_detection_name", "add_url", "add_mutex", "add_useragent"):
        getattr(reporter.misp, stubbed).return_value = None

    extracted_configs = [
        {
            "family": "3x4mpl3",
            "cnc": ["example.com/gate.php"],
        },
        {
            "family": "3x4mpl3_2",
            "url": ["http://example.org"],
        },
        {
            "family": "3x4mpl3_3",
            "mutex": ["@@@@@@"],
            "user_agent": ["M3mebr0wz0r V42"],
        },
    ]
    report = {
        "metadata": {
            "cfgextr": extracted_configs,
        },
    }

    reporter.family(report, "event")

    family_names = ["3x4mpl3", "3x4mpl3_2", "3x4mpl3_3"]
    assert reporter.misp.add_detection_name.call_count == len(family_names)
    reporter.misp.add_detection_name.assert_has_calls([
        mock.call("event", name, "External analysis") for name in family_names
    ])

    reported_urls = ["example.com/gate.php", "http://example.org"]
    assert reporter.misp.add_url.call_count == len(reported_urls)
    reporter.misp.add_url.assert_has_calls([
        mock.call("event", url) for url in reported_urls
    ])

    reporter.misp.add_mutex.assert_called_once_with("event", "@@@@@@")
    reporter.misp.add_useragent.assert_called_once_with("event", "M3mebr0wz0r V42")
def test_misp_sample_hashes():
    """MISP.sample_hashes() forwards the submitted file's name and digests.

    The expected add_hashes() call carries the md5/sha1/sha256 values
    verbatim, tagged with the "Payload delivery" category and a fixed
    comment marking the sample as the file submitted to Cuckoo.
    """
    reporter = MISP()
    reporter.misp = mock.MagicMock()
    reporter.misp.add_hashes.return_value = None

    submitted_file = {
        "name": "foobar",
        "md5": "m d 5",
        "sha1": "sha one",
        "sha256": "sha 256",
    }
    report = {
        "target": {
            "file": submitted_file,
        },
    }

    reporter.sample_hashes(report, "event")

    reporter.misp.add_hashes.assert_called_once_with(
        "event",
        category="Payload delivery",
        filename=submitted_file["name"],
        md5=submitted_file["md5"],
        sha1=submitted_file["sha1"],
        sha256=submitted_file["sha256"],
        comment="File submitted to Cuckoo",
    )
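def misp_export(task_id, report=None):
    """
    Uploads the report to the MISP instance using the reporting module.
    :param task_id: task id
    :param report: additional report dict (accepted for compatibility;
        not read by this function)
    """
    report_path = cwd("reports", "report.json", analysis=task_id)
    task_path = cwd("", "task.json", analysis=task_id)

    # Context managers close the handles even when json.load() raises;
    # the original left both files open until garbage collection.
    with open(report_path) as report_fp:
        results = json.load(report_fp)
    with open(task_path) as task_fp:
        task = json.load(task_fp)

    m = MISP()
    options = config2("reporting", 'misp')
    m.set_task(task)
    m.set_options(options)
    m.run(results)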
def test_misp_domain_ipaddr():
    """MISP.domain_ipaddr() splits resolved domains and contacted hosts.

    Runs against a fresh temporary CWD so configuration lookups do not
    depend on the developer's environment. Domains go to add_domains_ips()
    as a {domain: ip} mapping and hosts to add_ipdst() as a list; the
    time.windows.com / www.msftncsi.com domains and 8.8.8.8 are expected
    to be absent from the calls (presumably filtered by the whitelist —
    the filtering itself is not visible here).
    """
    set_cwd(tempfile.mkdtemp())

    reporter = MISP()
    reporter.misp = mock.MagicMock()
    reporter.misp.add_domains_ips.return_value = None
    reporter.misp.add_ipdst.return_value = None

    resolved_domains = [
        {
            "domain": "foobar",
            "ip": "1.2.3.4",
        },
        {
            "domain": "time.windows.com",
            "ip": "1.2.3.4",
        },
        {
            "domain": "www.msftncsi.com",
            "ip": "95.101.2.42",
        },
    ]
    contacted_hosts = [
        "2.3.4.5",
        "3.4.5.6",
        "8.8.8.8",
    ]
    report = {
        "network": {
            "domains": resolved_domains,
            "hosts": contacted_hosts,
        },
    }

    reporter.domain_ipaddr(report, "event")

    expected_mapping = {
        "foobar": "1.2.3.4",
    }
    reporter.misp.add_domains_ips.assert_called_once_with(
        "event", expected_mapping,
    )
    reporter.misp.add_ipdst.assert_called_once_with(
        "event", ["2.3.4.5", "3.4.5.6"],
    )
def test_misp_signatures():
    """MISP.signature() turns every matched signature into an internal comment.

    The fixture report in tests/files/reportsignatures.json is expected to
    produce 36 add_internal_comment() calls; a handful of them are checked
    by value (order-independent) to pin the comment format, including the
    ATT&CK technique ids and the IOC appended in parentheses.
    """
    reporter = MISP()
    reporter.misp = mock.MagicMock()
    reporter.misp.add_internal_comment.return_value = None

    with open("tests/files/reportsignatures.json", "rb") as fixture:
        signatures = json.load(fixture)

    reporter.signature({"signatures": signatures}, "event")

    assert reporter.misp.add_internal_comment.call_count == 36

    expected_comments = [
        "Creates a service - (T1031, CreateServiceW)",
        "Searches running processes potentially to identify"
        " processes for sandbox evasion, code injection or"
        " memory dumping -"
        " (T1057, Process32FirstW, Process32NextW)",
        "TTP: T1054, short: Indicator Blocking",
        "Disables Windows Security features -"
        " (T1089, T1112, attempts to disable user access"
        " control)",
        "Communicates with host for which no DNS query was"
        " performed - (200.87.164.69)",
    ]
    reporter.misp.add_internal_comment.assert_has_calls(
        [mock.call("event", comment) for comment in expected_comments],
        any_order=True,
    )